Keyboard for secure data entry

ABSTRACT

A keyboard for secure data entry is provided. The keyboard comprises at least one or more of data entry buttons that can be depressed by a user. For each of the data entry buttons, a button actuator is provided that is movable upon the user depressing the respective data entry button and a primary capacitive sensor is provided that is arranged to determine movement of the button actuator of the respective data entry button by capacitance sampling. The button actuator is at least partly made from a conductive material. The button actuator is coupled to a defined electric potential at least during the capacitance sampling to shield the primary capacitive sensor from eavesdropping.

RELATED APPLICATIONS

The present application claims priority to CN Patent Application No.201910188334.9 filed Mar. 13, 2019, the contents of which are herebyincorporated in their entirety.

TECHNICAL FIELD

The present invention relates to the field of keyboards for secure dataentry.

BACKGROUND

This background section is provided for the purpose of generallydescribing the context of the disclosure. Work of the presently namedinventor(s), to the extent the work is described in this backgroundsection, as well as aspects of the description that may not otherwisequalify as prior art at the time of filing, are neither expressly norimpliedly admitted as prior art against the present disclosure.

In the field of computer technology, a possibility for secure andreliable entry of data is a necessity for a multitude of applications,such as in particular for authentication purposes to gain access to anelectronic or a physical resource.

For example, in Point-of-Sale (POS) or building access systems, a useris often required to enter a passcode or PIN. This passcode entry needson the one hand to be reliable to allow the user to gain accessconveniently, on the other hand, security of the entry needs to bemaintained. In both of the preceding examples, the respective passcodeentry may be conducted in a public place. Due to that, correspondingpasscode entry systems may be tampered with by a malicious third partyto obtain the passcode and to gain access to the respective resource.

For example, it may be possible for a third party to try scanning thePIN entry using a so-called “side-channel attack”. This traditional keyarray scan method allows to scan for signal changes, e.g., high/lowlevel changes on a keypad's column and row circuit. It is relativelyeasy to monitor such changes using a side-channel attack that is widelyavailable.

To solve the problem of side-channel scanning, a known solution is toprotect the keypad input from being monitored by using a flexible maskwith printed silver paste conductors, placed on top of a typical buttondome array of the keypad. The silver paste mask is connected to internalanti-tamper pins to form an active shield mask. This solution howeverprovides frequent bending of the silver paste mask during the assemblyprocess and during use, which may lead to reliability problems. Inaddition, the cost of this kind of arrangement is quite high.

SUMMARY

The following summary of the present invention is provided to facilitatean understanding of some of the innovative features unique to thepresent invention and is not intended to be a full description. A fullappreciation of the various aspects of the invention can be gained bytaking the entire specification, claims, drawings, and abstract as awhole.

In light of the preceding discussion, a need exists to provide animproved keyboard that allows reliable, secure data entry and preventseavesdropping by a malicious third party.

The invention, as defined in the independent claims, provides animproved keyboard for secure data entry, a point-of-sale device, and amethod of secure data entry. Embodiments of the invention are discussedin the dependent claims and the following description.

According to one aspect of the present invention, a keyboard for securedata entry is provided. The keyboard comprises at least one or more ofdata entry buttons that can be depressed by a user, and for each of thedata entry buttons, a button actuator, movable upon the user depressingthe respective data entry button, and a primary capacitive sensor,arranged to determine movement of the button actuator of the respectivedata entry button by capacitance sampling. According to the presentaspect, the button actuator is at least partly made from a conductivematerial, and the button actuator is coupled to a defined electricpotential at least during the capacitance sampling to shield the primarycapacitive sensor from eavesdropping.

According to another aspect of the present invention, a point-of-sale(POS) device is provided, comprising at least a POS transactionprocessor, one or more of data entry buttons that can be depressed by auser, and for each of the data entry buttons, a button actuator, movableupon the user depressing the respective data entry button, and a primarycapacitive sensor, arranged to determine movement of the button actuatorof the respective data entry button by capacitance sampling. The buttonactuator is at least partly made from a conductive material, and thebutton actuator is coupled to a defined electric potential at leastduring the capacitance sampling to shield the primary capacitive sensorfrom eavesdropping.

According to yet another aspect of the present invention, a method ofsecure data entry with a keyboard having one or more of data entrybuttons that can be depressed by a user is provided. In the presentaspect, for each of the data entry buttons, a button actuator, and aprimary capacitive sensor is provided. The method comprises a) samplingof the primary capacitive sensor to determine movement of the buttonactuator, and b) at least during the sampling, coupling the buttonactuator to a defined electric potential to shield the primarycapacitive sensor from eavesdropping.

The basic idea of the aforementioned aspects of the present invention isto provide a keyboard for secure data entry having capacitive sensors todetermine if a data entry button of the keyboard is depressed by a user,which keyboard uses a button actuator of each data entry button to atleast temporarily provide a shield against eavesdropping by maliciousthird parties. Thus, a secure data entry is possible with a highlyreliable and cost-efficient setup.

The above aspects and other aspects of the invention will be apparentfrom and elucidated with reference to the embodiments describedhereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings,

FIG. 1 shows a first embodiment of a point-of-sale (POS) device;

FIG. 2 shows a schematic block diagram of the POS device according tothe embodiment of FIG. 1;

FIG. 3 shows a partial, exploded view of an embodiment of a keyboard;

FIG. 4 shows a schematic top-view of an intermediate PCB layer of thekeyboard of the embodiment of FIG. 3;

FIG. 5 shows a schematic top-view of a top PCB layer of the keyboard ofthe embodiment of FIG. 3;

FIG. 6 shows a schematic top-view of a bottom PCB layer of the keyboardof the embodiment of FIG. 3;

FIG. 7 shows a flow chart of the operation when tampering is detected;and

FIG. 8 shows embodiments of a button actuator for the keyboard of FIG.3.

DETAILED DESCRIPTION

Technical features described in this application can be used toconstruct various embodiments of keyboards for secure data entry,point-of-sale devices, and methods of secure data entry. Someembodiments of the invention are discussed so as to enable one skilledin the art to make and use the invention.

In a first exemplary aspect, a keyboard for secure data entry isprovided. The keyboard comprises at least one or more data entry buttonsthat can be depressed by a user. For each of the data entry buttons, abutton actuator is provided, which button actuator is movable upon theuser depressing the respective data entry button. In addition, for eachof the data entry buttons, a primary capacitive sensor is provided,arranged to determine movement of the button actuator of the respectivedata entry button by capacitance sampling. According to the presentaspect, the button actuator is at least partly made from a conductivematerial, and the button actuator is coupled to a defined electricpotential at least during the capacitance sampling to shield the primarycapacitive sensor from eavesdropping.

The keyboard according to the present aspect may be of any suitabletype. In some embodiments, the keyboard is a computer keyboard, forexample a QUERTY-type keyboard. In some embodiments, the keyboard isconfigured as a numeric keyboard, also referred to as a numeric keypador number pad. In some embodiments, the data entry buttons are arrangedin a matrix, for example a 3×3 matrix.

As discussed in the preceding, the keyboard according to the presentaspect comprises one or more data entry buttons that can be depressed bythe user, i.e., that are user-operable. The data entry buttons may be ofany suitable type and material, depending on the application, such asfor example plastic or metal in a square or round shape. The keyboardfurther comprises for each data entry button, an associated buttonactuator that is movable upon a user operating/depressing the respectivedata entry button. The button actuator is at least in part made fromconductive material, but otherwise may of any suitable type. In someembodiments, the button actuator is made from a metal, plastic, or acombination thereof. In some embodiments, the button actuator isdome-shaped, which allows deforming of the button actuator when a userdepresses the respective button.

The keyboard according to the present aspect further comprises for eachdata entry button, a primary capacitive sensor. The primary capacitivesensor serves to determine movement of the button actuator of therespective data entry button by capacitance sampling, i.e., bydetermining a change of the capacitance of the primary capacitivesensor. It is noted that in the present context, the term “movement”with respect to the button actuator is understood broadly and includesposition changes of the button actuator, but also deforming of thebutton actuator.

The primary capacitive sensor may be of any suitable type, various ofwhich are known in the art. In some embodiments, the primary capacitivesensor is a mutual-capacitance sensor, as for example described in U.S.Pat. Nos. 9,543,948 or 9,430,107, the entire contents of which areincorporated herein by reference. In some embodiments, the primarycapacitive sensor is a self-capacitance sensor.

According to the present aspect, the button actuator is coupled to adefined electric potential at least during the capacitance sampling ofthe primary capacitive sensor. This way, the button actuator, or moreprecisely the conductive parts of the button actuator, serve as anactive shield to the primary capacitive sensor, so that eavesdropping ormonitoring on the electric changes in the primary capacitive sensor in atypical side-channel attack is much more difficult.

For example, and in some embodiments, the button actuator is coupled orconnected to ground potential at least during the capacitive sampling.In other embodiments, the button actuator is coupled to a potential,different from ground potential at least during capacitive sampling. Insome embodiments, the button actuator is not only coupled to the definedelectric potential during the capacitance sampling, but for longerperiods. In some embodiments, the button actuator is coupled to thedefined electric potential permanently when the keyboard is operational,i.e., powered-up.

In some embodiments, the button actuator of the respective button iscoupled to the defined electric potential at least during thecapacitance sampling. In some embodiments, the button actuators of alldata entry buttons are coupled to the defined electric potential atleast during the capacitance sampling. The latter embodiments provide afurther improved shielding functionality.

In some embodiments, the keyboard may comprise additional components,such as, for example, one or more of a housing, a processor, a suitablepower supply, a display, memory, credit card reader, printer, and aninterface to a communications network. It is noted that in someembodiments, the keyboard, in addition to the one or more data entrybuttons, may comprise one or more additional buttons, which do notcomprise the button actuator and/or primary capacitive sensor asdiscussed in the preceding. For example, in a typical Point-of-Sale(POS) credit card terminal application, the keyboard may comprise a 3×3matrix of (secure) data entry buttons as discussed, but also a poweron/off button and a ‘print’ button, which may be of a typical,non-secure type.

In some embodiments, the keyboard comprises a keyboard controller,configured to control at least the capacitance sampling of the primarycapacitive sensor and to couple the button actuator to the definedelectric potential at least during the capacitance sampling. Thekeyboard controller may be of any suitable type, comprising amicrocontroller or a microprocessor without limitation.

In some embodiments, each data entry button comprises a button cap thatcan be depressed by the user, which button cap is arranged on a firstside of the respectively associated button actuator. In someembodiments, the primary capacitive sensor is arranged on a second sideof the button actuator, opposite to the first side thereof.

In some embodiments, the keyboard further comprises a shield removaldetection circuit to determine tampering with one or more of the buttonactuators. The determination of tampering in this context may comprise,without limitation, removal of one or more of the button actuatorsand/or the buttons. In some embodiments where the keyboard comprisesbutton caps, the determination of tampering may further comprise adetection of a direct contact of one of the button actuators by a humanor by a conductive probe, since this would be indicative of the removalof the respective plastic button cap of the button. The precedingembodiments further increase the security of the keyboard.

In some embodiments, the shield removal detection circuit is configuredto erase data and/or suspend operation of the keyboard when tampering isdetected. In some embodiments, a tampering indicator, such as acorresponding LED, is activated. In some embodiments, a tamperingindicator message is provided to a remote server in case tampering isdetected. In some embodiments, the keyboard controller is connected tothe shield removal detection circuit and is configured to control theoperation of the shield removal detection circuit.

The shield removal detection circuit may be of any suitable type. Insome embodiments, the shield removal detection circuit comprises, foreach of the data entry buttons, a secondary capacitive sensor. Thesecondary capacitive sensor may be of any suitable type, for example, amutual-capacitance sensor or a self capacitance sensor. It is noted thatin some embodiments, the secondary capacitive sensor may not beconfigured to determine, whether a button was pressed by the user, butonly to determine tampering with one of the button actuators.

In some embodiments, the secondary capacitive sensor is arranged betweenthe button actuator and the primary capacitive sensor. The presentembodiments result in a very compact setup.

In some embodiments, the keyboard comprises at least one printed circuitboard, which printed circuit board comprises one or more of the primarycapacitive sensor and the secondary capacitive sensor. In particular andin some embodiments, the primary capacitive sensor is arranged in anintermediate layer of the printed circuit board. The latter setupfurther increases the reliability of the keyboard, as dust or otherenvironmental influences do not interfere with the detection of theuser's button press.

According to another aspect, a point-of-sale (POS) device is providedthat comprises at least a POS transaction processor and one or more ofdata entry buttons that can be depressed by a user. The POS devicefurther comprises for each of the data entry buttons a button actuator,movable upon the user depressing the respective button; and a primarycapacitive sensor, arranged to determine movement of the button actuatorof the respective data entry button by capacitance sampling. Accordingto this aspect, the button actuator is at least partly made from aconductive material; and the button actuator is coupled to a definedelectric potential at least during the capacitance sampling to shieldthe primary capacitive sensor from eavesdropping.

The POS device according to the present aspect and in furtherembodiments may be configured according to one or more of theembodiments, discussed in the preceding with reference to the precedingaspect. With respect to the terms used for the description of thepresent aspect and their definitions, reference is made to thediscussion of the preceding aspect.

In some embodiments, the POS transaction processor is configured toprocess credit card transactions of a connected credit card reader.

According to another aspect, a method of secure data entry with akeyboard is provided. The keyboard comprises one or more of data entrybuttons that can be depressed by a user; and for each of the data entrybuttons, a button actuator, movable upon the user depressing therespective data entry button and being at least partly made from aconductive material; and a primary capacitive sensor. The method of thisaspect comprises sampling of the primary capacitive sensor to determinemovement of the button actuator; and at least during the sampling,coupling or connecting the button actuator to a defined electricpotential to shield the primary capacitive sensor from eavesdropping.

The method according to the present aspect and in further embodimentsmay be configured according to one or more of the embodiments, discussedin the preceding with reference to the preceding aspects. With respectto the terms used for the description of the present aspect and theirdefinitions, reference is made to the discussion of the precedingaspects. In some embodiments, the preceding method steps of sampling ofthe primary capacitive sensor to determine movement of the buttonactuator; and at least during the sampling, coupling the button actuatorto a defined electric potential to shield the primary capacitive sensorfrom eavesdropping, are repeated during the operation of the keyboard.

Reference will now be made to the drawings in which the various elementsof embodiments will be given numerical designations and in which furtherembodiments will be discussed.

Specific references to components, sections, parts, process steps, andother elements are not intended to be limiting. Further, it isunderstood that like parts bear the same reference numerals, whenreferring to alternate figures. It is further noted that the figures areschematic and provided for guidance to the skilled reader and are notnecessarily drawn to scale. Rather, the various drawing scales, aspectratios, and numbers of components shown in the figures may be purposelydistorted to make certain features or relationships easier tounderstand.

As one of skill in the art will readily recognize, in the field ofaccess control, such as for electronic payments or access to anelectronic (e.g., computer access) or physical (e.g., building) resourceand in particular when entering a password, it is important that thepassword stays secure and is only known to the authorized user(s)thereof. In the recent past, malicious third parties have tried toobtain personal identification numbers (PINs) from point-of-sale (POS)credit card terminals by placing a “scanner” close to the terminal,which scanner traces low/high signal changes of a keypad's column androw circuits. In the following, an exemplary POS device 1 will bedescribed in more detail that comprises a keyboard for secure data entryand that reduces the chance of a successful scanning attack by amalicious third party.

FIG. 1 shows a first embodiment of a point-of-sale (POS) device/system1, i.e., a POS credit card/debit card processing terminal. The POSdevice 1 comprises a display 2, a magnetic card reader 3 a, a chipreader 3 b, and in particular, a keyboard 4 for secure data entry. FIG.2 shows a schematic block diagram of the POS device 1, which showsfurther components, namely a communication interface 5, POS processor 6,and power supply 7. The POS processor 6 controls the operation of thePOS device 1 and comprises a microprocessor and memory, the lattercomprising firmware, i.e., software to provide transaction processingfunctionality of the POS device 1. The communication interface 5 is awired/wireless LAN Ethernet interface for connection to a private orpublic network and serves, corresponding to typical POS device 1, totransmit transaction data to and to obtain an authorization for therespective transaction from a remote transaction processing server. ThePOS device 1 further comprises a power supply 7 for providing operatingpower to all other components of the device 1. So as not to obscure thedrawing, connections from and to the power supply 7 have been omitted inFIG. 2.

In the following, the setup of keyboard 4 is discussed in detail. Apartial, exploded view of the keyboard 4 is shown in FIG. 3. As shown inthe drawing, the keyboard 4 comprises a plurality of data entry buttons30, each comprising a plastic button cap 31 and a button actuator 32.Button actuator 32 in the present embodiment is dome-shaped and made ofmetal. The button actuator 32 is deformable when a user exerts force onit, i.e., upon depressing the respective data entry button 30 and isused to indicate that the respective button has been depressed. Buttonactuator 32 also acts as a spring so that the data entry button 30returns to its original position when the user's force is removed.

The keyboard 4 further comprises a multi-layer printed circuit board(PCB) 33. An intermediate layer 35 of the PCB comprises a plurality ofprimary capacitive sensors 40, i.e., one sensor 40 per button 30. Theprimary capacitive sensors 40 are used to detect whether the user hasdepressed the respective data entry button 30 by capacitive sampling.The primary capacitive sensors 40 are mutual-capacitance sensors.

FIG. 4 shows a schematic top-view of the intermediate PCB layer 35. Eachprimary capacitive sensor 40 comprises a transmission (TX) node 41 and areception (RX) node 42, which are connected with a keyboard controller43 in a row/column setup. It is noted that the keyboard controller 43 isplaced on the lowest PCB layer 37, which will be discussed in detail inthe following with reference to FIG. 6.

The keyboard controller 43 during capacitive sampling generates a pulsedelectric field between the transmission node 41 and the reception node42 of each primary capacitive sensor 40 and determines over multiplepulses, whether the electric field has changed. The electric fieldbetween the TX node 41 and RX node 42 in the present embodiment isinfluenced by the metallic button actuator 32. If the actuator 32 isdeformed by a user depressing the respective data entry button 30, theelectric field in the associated primary capacitive sensor 40 willchange, indicating that the button 30 was pressed by the user to thekeyboard controller, which in turn provides corresponding information toPOS processor 6.

The signal change of mutual-capacitive sensors 40 upon a user pressing abutton 30 is relatively small, compared to prior art keyboards usingelectric contacts. Thus, the possibility to monitor the signal change bya malicious third party is reduced. In addition, the present setupprovides a key depression detection that does not rely on an electricalcontact to be closed and opened, which provides a highly reliable setup,irrespective of environmental conditions, such as the presence of dust,moisture, etc., which may be problematic in a keyboard using electriccontacts.

To further reduce the possibility of eavesdropping on the internalsignals of the keyboard 4, the keyboard controller 34 couples themetallic button actuators 32 to ground potential during the capacitivesampling of the primary capacitive sensors 40. The metallic buttonactuators 32 thus form an active shield for the primary capacitivesensors 40.

A further active shielding function is provided by top PCB layer 34,which is shown in a schematic top view in FIG. 5. PCB layer 34 comprisessecondary capacitive sensors 50, which in the present embodiment areformed as self-capacitive sensors 50. The purpose of the secondarycapacitive sensors 50 is two-fold. On one hand, the secondary capacitivesensors 50 provide additional shielding for the primary capacitivesensors 40. On the other hand, the secondary capacitive sensors 50together with button actuators 32 form part of a shield removaldetection circuit 51 to allow a determination, whether the device 1 hasbeen tampered with, e.g., whether the metallic button actuators 32 thatshield the primary capacitive sensors 40 have been touched or removed.

The secondary capacitive sensors 50 are arranged on the top of theprimary capacitive sensors 40 and are connected to keyboard controller43 in five rows for cost-saving reasons. This is possible, since, asdiscussed in the preceding, the secondary capacitive sensors 50 are notdesigned to determined which button 30 is depressed by the user, but tomonitor if any button 30 has been tampered with, such as by removingbutton actuator 32 or top PCB layer 34 by a malicious person. Thesecondary capacitive sensors 50 also determine if the button actuators32 have been touched directly by a human or by a conductive probe, bothof which are indicative that the button caps 31 have been removed.

The secondary capacitive sensors 50 and the primary capacitive sensors40 are sampled in turn by the keyboard controller 43. During thecapacitive sampling of the primary capacitive sensors 40, the buttonactuators 30, via the secondary capacitive sensors 50 are controlled toground potential. During the capacitive sampling of the secondarycapacitive sensors 50, i.e., in normal operation, it is determined,whether a button actuator 32 is removed. It is noted, that the secondarycapacitive sensors 50 are not used to determine if the user presses onthe button cap 31. Instead, a signal change is determined, when thebutton actuator 32 is removed, or as mentioned, when the button actuator32 is touched directly. In these cases, the keyboard controller 43 willstop capacitive sampling and send an alert to POS processor 6 to removesecure data in the POS processor 6 and inform the remote transactionprocessing server of the evident tampering, as can be seen from the flowchart of FIG. 7.

As shown in FIG. 5, the top PCB layer 34, i.e., the area outside of thesecondary capacitive sensors 50, is connected to ground 52. PCB layer 34may comprise a continuous metallization or, e.g., a “hash-type”metallization, for a further improved shielding of the primarycapacitive sensors 50. A corresponding metallization is present on thebottom intermediate PCB layer 36 for additional shielding.

FIG. 6. shows a schematic top view of the bottom PCB layer 37. Asdiscussed in the preceding, layer 37 comprises the keyboard controller43 and comprises various connections to PCB layers 34 and 35 as well asto POS processor 6 using bus connection 60. Not shown in FIG. 6 arepower and miscellaneous connections.

FIG. 8 shows alternate embodiments for button actuator 32, marked withreference numerals 32 a and 32 b. The setup of button actuator 32 b willprevent the flat part of the actuator to approach the surface of the PCB34, resulting in less field change when the button actuator isdepressed. This setup provides a further improved resistance toeavesdropping.

The benefits of the described embodiment include a) an increasedsecurity against eavesdropping by using mutual-capacitance sensors,resulting in a relatively small signal change when a button is depressedby a user, b) insensitivity of the arrangement to environmentalconditions, in particular to dust, c) improved reliability as noelectric contacts are used for determining if a button is depressed, d)reduced cost compared to prior art designs using a silver paste mask,and e) employment of button actuators, acting as a spring to providehaptic feedback to the user.

While the invention has been illustrated and described in detail in thedrawings and foregoing description, such illustration and descriptionare to be considered illustrative or exemplary and not restrictive; theinvention is not limited to the disclosed embodiments. For example, itis possible to operate the invention in an embodiment in which:

-   -   (1) mutual-touch and self-touch sensors are combined to form a        secure keypad for a POS, resource (electronic or physical)        access application;    -   (2) mutual-touch sensors are embedded in an intermediate PCB        layer, arranged under every individual plastic button and the        mutual-touch sensors are designed to sample the minor mutual        capacitor change between a TX and a RX line;    -   (3) metal dome button actuators are coupled to GND when sampling        the mutual capacitor sensors and when a user presses the plastic        part of a button, this leads to the distortion of the metal        dome, and the distortion of the metal dome will lead to a change        of distance between the center part of the metal dome and the        PCB surface, which in turn causes a mutual capacitor change that        is sampled in this embodiment;    -   (4) self-touch sensors cover the top of every individual mutual        touch sensor and the self-touch sensors are divided into several        groups;    -   (5) the self-touch sensors are not designed to determine which        button is pressed by the user, but to monitor if any keypad had        been uncovered or touched by a person;    -   (6) self-touch sensors and mutual sensors are sampled in turn        and in normal operation, the self-touch senor will not lead to        self-signal change when user presses on the top of the plastic        part of the button;    -   (7) when the self-sensor detects a signal change (i.e., touch or        anti-touch signal), the touch controller will stop the mutual        touch sample timing, and send an alert to a main controller to        remove secure data in the POS; and/or    -   (8) a self-sensor pad is in contact with the metal dome to form        a self-sensor when in self sampling and/or coupled to GND when        in mutual sampling.

Other variations to the disclosed embodiments can be understood andeffected by those skilled in the art in practicing the claimedinvention, from a study of the drawings, the disclosure, and theappended claims. In the claims, the word “comprising” does not excludeother elements or steps, and the indefinite article “a” or “an” does notexclude a plurality. A single processor, module or other unit mayfulfill the functions of several items recited in the claims.

The mere fact that certain measures are recited in mutually differentdependent claims does not indicate that a combination of these measurescannot be used to advantage. A computer program may bestored/distributed on a suitable medium, such as an optical storagemedium or a solid-state medium supplied together with or as part ofother hardware, but may also be distributed in other forms, such as viathe Internet or other wired or wireless telecommunication systems. Anyreference signs in the claims should not be construed as limiting thescope.

The invention claimed is:
 1. A keyboard for secure data entry,comprising at least one or more of data entry buttons that can bedepressed by a user; and for each of the data entry buttons a buttonactuator, movable upon the user depressing the respective data entrybutton; and a primary capacitive sensor, arranged to determine movementof the button actuator of the respective data entry button bycapacitance sampling; wherein the button actuator is at least partlymade from a conductive material; and the button actuator is coupled to adefined electric potential at least during the capacitance sampling toshield the primary capacitive sensor from eavesdropping.
 2. The keyboardof claim 1, wherein the primary capacitive sensor is amutual-capacitance sensor.
 3. The keyboard of claim 1, furthercomprising a shield removal detection circuit to determine tamperingwith one or more of the button actuators.
 4. The keyboard of claim 3,wherein the shield removal detection circuit is configured to erase dataand/or suspend operation of the keyboard when tampering with one or moreof the button actuators is determined.
 5. The keyboard of claim 3,wherein the shield removal detection circuit comprises, for each of thedata entry buttons, a secondary capacitive sensor.
 6. The keyboard ofclaim 5, wherein the secondary capacitive sensor is arranged between thebutton actuator and the primary capacitive sensor.
 7. The keyboard ofclaim 5, wherein the secondary capacitive sensor is a self-capacitivesensor.
 8. The keyboard of claim 1, further comprising at least oneprinted circuit board, comprising one or more of the primary capacitivesensor and the secondary capacitive sensor.
 9. The keyboard of claim 8,wherein the primary capacitive sensor is arranged in an intermediatelayer of the printed circuit board.
 10. The keyboard of claim 1, whereinthe button actuator is dome-shaped.
 11. The keyboard of claim 1, whereinthe button actuator is made from metal.
 12. The keyboard of claim 1,comprising multiple data entry buttons, arranged in a matrix.
 13. Thekeyboard of claim 12, wherein the multiple data entry buttons arearranged to form a numeric keypad.
 14. The keyboard of claim 1, furthercomprising a keyboard controller, configured to control at least thecapacitance sampling of the primary capacitive sensor and to couple thebutton actuator to the defined electric potential at least during thecapacitance sampling.
 15. The keyboard of claim 1, wherein the definedelectric potential is ground.
 16. A point-of-sale device comprising atleast a point-of-sale transaction processor; one or more of data entrybuttons that can be depressed by a user; and for each of the data entrybuttons a button actuator, movable upon the user depressing therespective button; and a primary capacitive sensor, arranged todetermine movement of the button actuator of the respective data entrybutton by capacitance sampling; wherein the button actuator is at leastpartly made from a conductive material; and the button actuator iscoupled to a defined electric potential at least during the capacitancesampling to shield the primary capacitive sensor from eavesdropping. 17.A method of secure data entry with a keyboard having one or more of dataentry buttons that can be depressed by a user; and for each of the dataentry buttons, a button actuator, movable upon the user depressing therespective data entry button and being at least partly made from aconductive material; and a primary capacitive sensor; wherein the methodcomprises sampling of the primary capacitive sensor to determinemovement of the button actuator; and at least during the sampling,coupling the button actuator to a defined electric potential to shieldthe primary capacitive sensor from eavesdropping.
 18. The method ofclaim 17, wherein the keyboard is configured according to claim 1.